Microsoft looks into Windows privilege escalation exploit

Microsoft is tracking a newly discovered zero-day exploit in Windows that can be leveraged to bypass privilege protections to obtain full system control.

The publicly posted exploit works on Vista and Windows 7 systems, according to a blog post from Marco Giuliani, malware technology specialist at security firm Prevx. The vulnerability also affects Windows XP and Server 2008 and 2003.

What makes the bug alarming is that it can be used to run authorized software or programs, even on machines that do not run with administrator rights or contain User Account Control, a feature introduced in Vista that enables administrators to set rights so users can run most applications but with limited privileges.

"Using a limited account gives [users] a great advantage versus malware because it limits the vulnerable surface the malware can damage," Giuliani wrote. "This 0-day exploit allows malware that has already been dropped on the system to bypass these limitations and get the full control of the system."

Microsoft is investigating the vulnerability. Patches from the software giant are next due out on Dec. 14.

"Because this is a local elevation-of-privilege issue, it requires attackers to be already able to execute code on a targeted machine," Jerry Bryant, group manager of response communications at Microsoft, said in a statement sent to SCMagazineUS.com on Monday. "We will continue to investigate the issue and, when done, we will take appropriate action to protect our customers and the internet ecosystem. Microsoft takes any reports of vulnerabilities in our products seriously."

Meanwhile, public exploit code also has emerged for another unpatched Microsoft privilege-escalation bug, this one specific to Stuxnet attacks.

Microsoft first warned about the flaw in September but has yet to deliver a patch.
